Anti-money laundering and counter-financing of terrorism (AML/CFT) compliance is no longer a box-ticking exercise for Nigerian financial institutions. With the CBN, NFIU, and international bodies like the FATF raising the bar on enforcement, institutions that treat AML/CFT as an afterthought face regulatory sanctions, licence suspension, and reputational damage. This guide explains what robust AML/CFT compliance actually looks like — and what regulators are looking for when they knock on your door.
The Regulatory Landscape: Who Sets the Rules?
AML/CFT obligations for Nigerian financial institutions are governed by a layered framework of legislation and regulatory guidance. The primary instruments are the Money Laundering (Prevention and Prohibition) Act 2022, the Terrorism (Prevention and Prohibition) Act 2022, and the CBN’s AML/CFT/CPF Risk-Based Supervision Framework.
Day-to-day oversight is shared across several bodies. The Central Bank of Nigeria supervises deposit money banks, microfinance banks, finance companies, and other CBN-licensed institutions. The Securities and Exchange Commission oversees capital market operators. NAICOM regulates insurance companies. And the Nigerian Financial Intelligence Unit (NFIU) serves as the financial intelligence body responsible for receiving, analysing, and disseminating suspicious transaction reports across all sectors.
Key Point: FATF’s 2023 Mutual Evaluation of Nigeria resulted in an “Increased Monitoring” (grey list) status. Nigerian regulators have significantly intensified domestic enforcement activity since then. Institutions that cannot demonstrate compliance maturity are at acute risk of examination findings and formal sanctions.
The Five Pillars of AML/CFT Compliance
A compliance programme that satisfies CBN and NFIU examiners — and genuinely protects your institution — is built on five interconnected pillars.
1. Risk Assessment
Your institution must conduct and document a formal AML/CFT risk assessment covering your customer base, products, delivery channels, and geographic exposure. The assessment must be reviewed at least annually and updated whenever material changes occur in your business model. Risk assessments that are generic or copied from templates consistently attract examiner criticism.
2. Know Your Customer (KYC) and Customer Due Diligence (CDD)
KYC is the foundation of AML/CFT compliance. Every institution must establish the identity of its customers, understand the nature and purpose of the business relationship, and maintain up-to-date records. For higher-risk customers — including politically exposed persons (PEPs), non-resident customers, and businesses in high-risk sectors — enhanced due diligence (EDD) is required. This involves deeper background checks, approval by senior management, and more frequent relationship reviews.
3. Transaction Monitoring
Institutions are required to monitor customer transactions for patterns that deviate from expected behaviour. This requires a combination of automated systems and human review. Thresholds matter: cash transactions above ₦5 million (individuals) or ₦10 million (corporate bodies) must be reported to the NFIU as Currency Transaction Reports (CTRs) within 24 hours. Suspicious transactions must be filed as Suspicious Transaction Reports (STRs) regardless of amount.
4. Suspicious Transaction Reporting
Filing STRs correctly and on time is a legal obligation — and a protected act. Staff who file STRs in good faith are shielded from civil liability under Nigerian law. Institutions must ensure reporting channels are accessible, that staff understand their tipping-off prohibitions, and that STR records are maintained for a minimum of five years.
5. Training and Awareness
All staff — not just compliance officers — must receive regular AML/CFT training. Front-line staff in particular must be trained to recognise red flags, handle suspicious customer behaviour, and follow internal escalation procedures. Training records must be documented and available for examiner review.
What Examiners Look For: Common Findings
Based on M33’s experience supporting institutions through CBN and NFIU examinations, the following gaps are the most frequently cited in examination reports:
- Outdated or generic risk assessment documents not reflecting the institution’s actual customer base
- Incomplete KYC files — particularly missing BVN verification records, corporate beneficial ownership documentation, or source-of-funds information for high-value accounts
- Transaction monitoring systems with thresholds set too high, effectively missing reportable activity
- STR filing delays — reports filed days or weeks after the suspicious activity was identified rather than promptly
- Training records that are non-existent or cannot be produced during examinations
- Compliance officers who lack the independence or seniority to escalate concerns to the board
Examiner Red Flag: A compliance manual that has not been updated since the Money Laundering (Prohibition) Act 2011 immediately signals to examiners that your AML/CFT programme is not current. The 2022 legislation introduced material changes that must be reflected in your documentation.
Building an Effective Compliance Function
The CBN’s Corporate Governance Code and AML/CFT framework require that every licensed institution appoint a Chief Compliance Officer (CCO) at the level of senior management. The CCO must have direct access to the board and must not carry operational responsibilities that could compromise their independence.
Beyond the CCO, effective compliance functions typically include a dedicated AML/CFT team, a board-level committee with oversight responsibility (often the Audit Committee or a standalone Risk and Compliance Committee), and an internal audit function that independently tests compliance controls at least annually.
How M33 Supports AML/CFT Compliance
M33 Nigeria Limited works with financial institutions at every stage of their AML/CFT journey — from initial framework design during the licensing process, to remediation of examination findings, to ongoing advisory and training services. Our team has deep experience with CBN and NFIU examination standards and can help your institution build a compliance programme that is both regulatorily sound and operationally practical.
We also offer targeted training programmes for boards, management, and front-line staff, delivered in partnership with accredited institutes.
Frequently Asked Questions
What is the penalty for failing to file an STR in Nigeria?
Under the Money Laundering (Prevention and Prohibition) Act 2022, failure to file an STR is a criminal offence. Individuals can face imprisonment of up to three years, while institutions face substantial fines. Regulatory sanctions from the CBN — including public censure, fines, and licence conditions — may apply independently.
Does AML/CFT compliance apply to microfinance banks?
Yes. All CBN-licensed institutions, including microfinance banks of all categories, are subject to full AML/CFT obligations. The CBN has increasingly focused examination resources on the microfinance sector given its scale, reach, and cash-intensive operations.
How often should we update our AML/CFT risk assessment?
At minimum, annually. However, the risk assessment should also be reviewed and updated whenever there is a material change in your customer base, product offerings, delivery channels, geographic footprint, or when new guidance is issued by the CBN or NFIU. Treating it as a once-a-year exercise alone is insufficient.
Can a third-party provider handle our KYC verification?
Yes, institutions may rely on third-party KYC service providers, but ultimate responsibility for compliance remains with the institution. The CBN requires that outsourced KYC arrangements be governed by written agreements and that the institution retains the ability to access underlying data at all times.
This article was written by Hans Omang, Director and Principal Consultant at M33 Nigeria Limited, with over 10 years of experience in Nigerian financial regulation and compliance advisory. For support with your AML/CFT framework, contact M33 here.